From Bounty to Exploit: Observations About Cybercriminal Contests

Cybercriminals have taken their own initiative to establish an informal way of conducting research and development by holding contests on forums. In this blog post, we go through the key takeaways we learned about these competitions.

These contests are diverse and range from public calls for articles that describe new technologies to hackathons that can improve cybercriminals’ defenses. We elaborate on the details of their operation here.

The following are our key takeaways:

1. Cybercriminals often use crowdsourcing as their research and development. These public contests on criminal forums work like “American Idol” or “America’s Got Talent” for malicious actors.
2. Unlike a traditional X-Prize competition, criminal evolutions do not need to be groundbreaking to be successful. Instead, they only need to evolve slightly beyond today’s defenses to have a massive midterm effect.
3. Over time, something groundbreaking could result from these contests. With more and more of this kind of activity happening, statistically it is only a matter of time until the increasing creativity of contest winners leads to something groundbreaking for the cybercrime industry. This is called the “black swan” effect.

Lacking formal research and development functions in most cases, cybercriminals often use the public for brainstorming purposes to discover new and creative attacks. These contests, which crowdsource the best ideas from the criminal community, also provide financial rewards for the most promising solutions. These contests have also been used in the criminal underground for some time now and involve everything from pure creative activities like graphic design and poetry contests to calls for more practical applications, such as recruiting operations and requests for help in other areas of the criminal business.

Lately, the more concerning contests that have been rising in prominence look for creative ways to craft cyberattacks. These range from looking for slight evolutions of current techniques (enough to bypass defenses in the short term) to searching for entirely new categories of criminal business models. We believe that these contests, when run often, can eventually yield a brand-new attack that can change the status quo. It is also clear that this method of using the public for research is a successful one for cybercriminals and that they are getting a good return on their investment, as we have already seen a steady increase in the amount of financial rewards being offered in exchange for successful submissions.

For example, the organizers of one competition only want offensive techniques that can be used immediately. In this contest, they are interested in the main stages of an intrusion, namely social engineering, vulnerability exploitation, privilege escalation, counteracting defense software, gaining persistence, and generic malware technology. The prize is also quite high at 1 bitcoin (US$ 19,030.80), reiterating that criminals are investing a large sum of money in order to produce new offensive capabilities.